Re: [OAUTH-WG] WGLC on Assertion Drafts

"Zeltsan, Zachary (Zachary)" <> Thu, 05 April 2012 20:33 UTC



The draft, section 6.1, has the following requirement:

      The Authorization Server MUST validate the assertion in order to establish a mapping between the Issuer and the secret used to generate the assertion.

I thought that checking a signature is a part of the assertion validation, which cannot be done without knowing the mapping between the issuer and the secret used to generate the assertion.
It appears that the quoted text requires validation of the assertion prior to checking the signature.
What am I missing?


From: [] On Behalf Of Tschofenig, Hannes (NSN - FI/Espoo)
Sent: Thursday, April 05, 2012 10:47 AM
Subject: [OAUTH-WG] WGLC on Assertion Drafts

Hi all,

this is a Last Call for comments on these three documents:

Please have your comments in no later than April 23rd.

Do remember to send a note in if you have read the document and have no other comments other than "it's ready to go" - we need those as much as we need "I found a problem".


Hannes & Derek